Understanding cyber insurance and the IoT

This entry was posted on Thursday, March 30th, 2017.

Written by Asaf Ashkenazi for Rambus

Denise Johnson of Claims Journal recently observed that there has been a noticeable jump in spear phishing and ransomware incidents. Concurrently, data security has weakened due to an increase in connected and mobile devices. As such, it has become critical for businesses and insurers to fully understand how to effectively protect themselves against such attacks.

“That’s according to an expert panel discussion held during the American Bar Association Torts annual insurance coverage litigation mid-year program,” writes Johnson. “[For example], Lisa Phillips, a national practice advisor for the Wells Fargo Insurance Errors & Omissions Cyber Group, said the structure of cyber policies varies according to the party protected.”

Clearly, there are many ‘known unknowns’ when it comes to understanding the full extent of cyber insurance liability and coverage. As the cyber insurance industry continues to evolve, precisely defining the boundaries of a cyber-attack and subsequent damage will become more difficult. Moreover, insurance companies are likely to demand that policy holders meet certain standard security practices and implementation to qualify for coverage. Multiple exclusions and limitation of compensation for direct damage (for example, loss of potential business due to an outage) may force claimants to accept far less than they were expecting.

Adding an Internet of Things (IoT) dimension to an already uncertain cyber insurance model raises many questions, while altering the current status quo for both the insurer and claimant. For example, how will cyber insurance impact automotive insurance? Will premiums increase every time there is a major risk or hacking event? Will premium rates be affected by the inclusion or exclusion of remote control connectivity?

To limit their liability (which is likely to be extensive), cyber insurance companies will almost certainly want to know specific security details, such as what (effective) mechanisms are put in place to restrict unauthorized access to devices and systems. This paradigm could very well start with vehicles and ultimately extend to a range of devices, including refrigerators, ovens, dryers and washing machines. Of course, the industry will have to determine the warranty limitations of connected appliances. For example, what happens if a washing machine or refrigerator is remotely disabled because the owner didn’t adequately protect the appliance from digital intruders? Who is held liable?

As the Jeep Chrysler hack illustrates, a manufacturer may not intend for a device or system to support remote access to certain functions. Nevertheless, malicious attackers can still hack and change default settings. For example, the unauthorized remote injection of stealth code can enable unauthorized digital entry to restricted areas of a device or system – resulting in significant changes to access levels along with the creation of exploitable vulnerabilities.

In conclusion, the cyber insurance paradigm is evolving to meet an ever-increasing threat landscape crowded with vulnerable IoT devices. Although there are more questions than answers about the future parameters of cyber insurance, increased security measures will undoubtedly play a critical role in defining the contours of future policies.